Is there a way to ensure ASP.NET MVC 4 forms are protected against CSRF by default?
For instance, is there a way to have AntiForgeryToken automatically
You can use a filter provider with a condition that the filter ValidateAntiForgeryTokenAttribute() be applied whenever HttpContext.Request.HttpMethod == "POST".
I essentially followed the generic approach described by Phil Haack, and added the appropriate condition:
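    // Ensure all POST actions are automatically decorated with the ValidateAntiForgeryTokenAttribute.
    var conditions = new Func<ControllerContext, ActionDescriptor, object>[] {
        ( c, a ) => string.Equals( c.HttpContext.Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase ) ?
            new ValidateAntiForgeryTokenAttribute() : null
    };
    FilterProviders.Providers.Add( new ConditionalFilterProvider( conditions ) ); // ConditionalFilterProvider: the class from Phil Haack's post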
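The same idea written as a dedicated `IFilterProvider`, as an added example that is not code from the answer above or from Phil Haack's post. It goes beyond the POST-only condition by also covering PUT, DELETE and PATCH and by allowing an explicit opt-out; `SkipAntiForgeryAttribute`, `AntiForgeryFilterProvider` and `CsrfFilterRegistration` are hypothetical names chosen for this sketch.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Mvc;

// Hypothetical opt-out marker for endpoints that authenticate another way
// (for example a signed webhook); it is not part of ASP.NET MVC.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class SkipAntiForgeryAttribute : Attribute { }

// Filter provider that applies ValidateAntiForgeryTokenAttribute to every
// request whose HTTP method is expected to change state.
public sealed class AntiForgeryFilterProvider : IFilterProvider
{
    private static readonly HashSet<string> UnsafeMethods =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "POST", "PUT", "DELETE", "PATCH" };

    public IEnumerable<Filter> GetFilters(ControllerContext context, ActionDescriptor action)
    {
        // Child actions run inside the parent request, which is validated itself.
        if (context.IsChildAction)
            yield break;

        if (!UnsafeMethods.Contains(context.HttpContext.Request.HttpMethod))
            yield break;

        // An opt-out has to be declared explicitly, so it shows up in code review.
        bool skipped = action.IsDefined(typeof(SkipAntiForgeryAttribute), true)
            || action.ControllerDescriptor.IsDefined(typeof(SkipAntiForgeryAttribute), true);
        if (skipped)
            yield break;

        // Global is the least specific filter scope.
        yield return new Filter(new ValidateAntiForgeryTokenAttribute(), FilterScope.Global, null);
    }
}

public static class CsrfFilterRegistration
{
    // Call once from Application_Start in Global.asax.cs.
    public static void Register()
    {
        FilterProviders.Providers.Add(new AntiForgeryFilterProvider());
    }
}
```

The provider only validates tokens, so every form still has to emit one with `@Html.AntiForgeryToken()`, otherwise its submission is rejected. Actions that change state in response to GET are not covered by this check.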